Introducing SED:A Way to Mitigate Buffer Overflow Attacks

One of the most common security threats to information systems and the data they protect occurs when an attacker is able to alter his identity and, in so doing, grain control over system resources. Historically, attackers have favored buffer overflows as an attack vector to alter their identity. On UNIX systems attackers typically exploit buffer overflows so that they can assume the identity of the root user. AIX 5L 5300-03 introduces Stack Execution Disable (SED) which prevents the successful exploitation of many types of buffer overflows.

Buffer overflows are the result of programming oversights and can be found in all levels of the software stack. An attacker exploits a buffer overflow by injecting malicious code into various process memory segments and then executing that code under their new identity. As with any security issue, there are several methods to mitigate the risk introduced by buffer overflows. Preventing a system from executing malicious code stops a buffer overflow exploit in its tracks. SED uses functionality introduced in the POWER4 family of processors to prevent code execution in various process memory segments thus thwarting buffer overflow attacks. If an attacker attempts to exploit a buffer overflow a hardware exception is raised to tell SED to terminate the offending program.

SED is highly flexible and configurable. It offers the following features:

The sedmgr command provides a central administration interface for SED.

System administrators can activate SED system wide or for a specific list of programs. For example, SED can be activated for all setuid/setgid programs. Additionally, there are cases where a program may have a legitimate reason to execute code in a process memory segment that typically does not contain executable code. For example, many versions of Java use JIT (just-in-time) compilation to produce executable code. In order for these applications to work, they must be allowed to execute code produced on the fly. SED can allow these applications to work while enforcing restrictions on other applications.

SED can be used in a monitoring mode. Instead of terminating a program, SED can record the program that caused the exception and a system administrator can investigate further. This allows for some normalization to be done before introducing SED into a production environment. This feature could also be used in a honey pot or padded cell environment to study an attacker's actions.

SED can be used with any application. As stated earlier, buffer overflow conditions can exist at any level of the software stack. The sedmgr command allows system administrators to activate SED protection for any program.

SED is integrated with existing operating system facilities such as Error-Logging and Trusted Computing Base (TCB). SED uses the AIX Error-Logging facility to record suspicious activity. This information can be used to uncover potential attacks or in computer security incident investigations.

SED protects against several types of buffer overflow exploits including stack-based and heap-based attacks.

For more information regarding SED see the AIX Security Guide and the sedmgr command documentation.

Browse Power Systems

Next generation applications for big data and analytics and cognitive computing are providing unprecedented insights into opportunities, threats and efficiencies. IBM Power Systems is at the forefront of delivering solutions to gain faster insights from analyzing both structured information and unstructured big data. With the secure, flexible and open platform of IBM Power Systems plus solutions and software, organizations can outpace their competitors by delivering faster services, providing differentiated offerings and turning operational cost into investment opportunity.

Next generation applications for big data and analytics and cognitive computing are providing unprecedented insights into opportunities, threats and efficiencies. IBM Power Systems is at the forefront of delivering solutions to gain faster insights from analyzing both structured information and unstructured big data. With the secure, flexible and open platform of IBM Power Systems plus solutions and software, organizations can outpace their competitors by delivering faster services, providing differentiated offerings and turning operational cost into investment opportunity.

To draw insights and make better decisions, businesses rely on the secure, flexible and open platform of IBM Power Systems. Built with the first processor designed for big data workloads, the design of Power Systems combines the computing power, memory bandwidth and I/O in ways that are easier to consume and manage, building on strong resiliency, availability and security.

To draw insights and make better decisions, businesses rely on the secure, flexible and open platform of IBM Power Systems. Built with the first processor designed for big data workloads, the design of Power Systems combines the computing power, memory bandwidth and I/O in ways that are easier to consume and manage, building on strong resiliency, availability and security.

IBM Power Systems deliver flexibility and choice of operating systems to enable your business to support the next generation applications for big data and analytics and cognitive computing that are transforming how organizations work today. Whether running 1, 2, or all 3 - coupled with PowerVM, they maximize the benefit of Power Systems in your business.

IBM Power Systems deliver flexibility and choice of operating systems to enable your business to support the next generation applications for big data and analytics and cognitive computing that are transforming how organizations work today. Whether running 1, 2, or all 3 - coupled with PowerVM, they maximize the benefit of Power Systems in your business.

Transform your business with Systems Software that enables virtualization, high availability, flexibility, security and compliance on Power Systems™. IBM’s integrated approach to developing Systems and Systems Software together delivers optimized results with Power Systems.

Transform your business with Systems Software that enables virtualization, high availability, flexibility, security and compliance on Power Systems™. IBM’s integrated approach to developing Systems and Systems Software together delivers optimized results with Power Systems.

As an open innovation platform, Power Systems is optimized for big data and analytics performance and to deliver scale-out economics and security for the cloud. IBM and IBM Business Partner solutions exploit key capabilities in IBM Power Systems.

As an open innovation platform, Power Systems is optimized for big data and analytics performance and to deliver scale-out economics and security for the cloud. IBM and IBM Business Partner solutions exploit key capabilities in IBM Power Systems.

Over the last five years thousands of clients have migrated to IBM Power Systems for choice and flexibility. Learn how Power Systems has helped them revolutionize the way IT is developed and delivered, optimize for big data and analytics, and support private, public and hybrid offerings for scale-out or scale-up implementations all while improving business performance, reducing risk, and establishing a platform for growth.

Over the last five years thousands of clients have migrated to IBM Power Systems for choice and flexibility. Learn how Power Systems has helped them revolutionize the way IT is developed and delivered, optimize for big data and analytics, and support private, public and hybrid offerings for scale-out or scale-up implementations all while improving business performance, reducing risk, and establishing a platform for growth.